
Ripple effect: Local agencies ramp up security after state, national cyberattacks on water supplies

Altoona authority adopts ‘zero trust model’ in wake of incidents

Razor wire tops the fence around the Altoona Water Authority Lake Altoona pump station along Veterans Memorial Highway in Logan Township. Mirror photo by Patrick Waksmunski

Late last year, the public water system in Aliquippa was one of several across the U.S. that was attacked by Iran-affiliated hackers, who hit Israeli-made computer equipment used to control water system operations.

At the time, officials with the Municipal Water Authority of Aliquippa said the cyber group, known as Cyber Av3ngers, took control of one of their booster stations. An alarm went off as soon as the hack occurred, officials said.

The Aliquippa authority shut down its automated system and went to manual operations, maintaining service without interruption, it was reported.

That attack and others on critical infrastructure systems have led the federal government to develop a playbook to guard against the ever-increasing sophistication of hackers.

It’s a case of constant vigilance that includes common-sense “cyber 101” efforts, like creating strong passwords, firewalls and multi-factor authentication, according to David Hozza, assistant teaching professor for cybersecurity at Penn State’s College of Information Sciences & Technology.

A warning sign is posted on the gate at the Altoona Water Authority’s Mill Run Reservoir. Mirror photo by Patrick Waksmunski

The need for such precautions “is not going to go away any time soon,” said Aaron Moyer, the Altoona Water Authority’s IT services coordinator.

‘Zero trust model’

The Altoona Water Authority “ramped things up,” starting about three years ago, after an incident in Florida that “was an eye-opener for everybody,” Moyer said some months ago.

The Florida incident involved hackers breaking into a system and attempting to increase the feed rate for a chemical, Hozza said, adding that an operator recognized the anomaly and shut the system down, preventing potential harm.

Since then, the Altoona authority has adopted a “zero trust model,” Moyer said.

That is an IT security regimen that requires strict identity verification for every person and device that tries to access resources, according to an online definition.

If the authority can’t keep a device adequately protected, it disconnects that device from the “outside world” — the internet — altogether, Moyer said.

“We pretty much shut off everything,” he said, including internet-connected security cameras.

In the case of a remote pump station, as it was with Aliquippa, that means that instead of making an adjustment of a chemical flow rate from a control station at a central site, an employee might need to drive out to the station to make the adjustment by hand, Moyer said.

The Altoona authority has also adopted multi-factor authentication — the kind of authentication that requires “something you have and something you know,” he said.

Thus employees who interact with relevant control systems would need a key, plus a username and password to get access, he said.

Authority employees attend quarterly meetings of a regional task force, connected with Homeland Security, to keep abreast of the latest guidelines, Moyer said. The meetings focus on vulnerabilities and protective measures, and organizations share best practices, he added.

The effort is still a work in progress, and the authority has been trying to build up its security “a layer at a time,” Moyer said, while being aware of the need not to spend “a ridiculous amount of money.”

While there are best practices that are workable for many organizations, not every recommended practice fits all organizations, he said.

One of the characteristics that sets the Altoona Water Authority apart is having seven treatment plants, he said.

Some organizations have just one.

Not a significant worry

The kind of hacking that occurred in Aliquippa and Florida is not a significant worry for Martinsburg, according to Martinsburg Borough Manager Richard Brantner Jr.

The only function on the Supervisory Control and Data Acquisition-Programmable Logic Controller (SCADA-PLC) system used by the borough authority is the well operation, so the only harmful thing a hacker could do is shut off one of those wells, he said, and that wouldn’t be a big deal.

There are firewalls on that system anyway, Brantner said.

The well pumps are set to come on automatically when the authority’s tank level sinks to a certain level, then to shut off when the tank is full, he said.

The only chemical the authority puts into its water is chlorine, and that isn’t done through an electronic control, Brantner said.

Cybersecurity also isn’t a problem for Williamsburg Borough, because it contracts out that responsibility to a third-party firm, according to Brandy Frank, authority office manager.

Logan Township’s Sewer Department also has no cybersecurity issues, because controls connected with the internet are protected through an outside security firm, and other controls situated in the department’s sewer plant aren’t internet-connected, said department Director Dave Pozgar. He feels the operation is “100 percent” safe from hacking.

Three layers of protection

Operations at Bellwood Borough Authority are protected, according to secretary/treasurer Hope Ray.

The authority’s computers contain only customer names and addresses, and the authority reads meters using a cloud-based system not located in-house, she said.

It has three layers of protection, two of which involve third parties, Ray said.

The authority also has no vulnerability related to adding chemicals to the water it distributes, because it buys its finished water in bulk from the Altoona Water Authority, she said.

Billing is handled by an outside computer firm, which provides a repository for all billing information, Ray said.

While none of that information is on authority computers, the computers are protected with a firewall, she said, noting that another third-party vendor handles receipt of payments, including all relevant customer information involved.

‘Old-school’

Tyrone Borough contracted with its consulting engineer a couple years ago to do a cyber-threat analysis of the water and sewer systems, “and we passed with flying colors,” said Borough Manager Ardean Latchford.

There was also a resilience assessment for the Environmental Protection Agency, Latchford said.

It wasn’t hard to reach the satisfactory conclusion: None of the controls in either system are connected to the internet, so there’s no avenue for hacking, Latchford said.

“We’re kind of old-school here,” he said.

While not totally “old-school,” Hollidaysburg Borough officials said they have no cybersecurity issues, as the borough has no SCADA-PLC systems controlling water system functions, according to borough Public Works Director Rick Pope.

The authority gets water meter readings via the internet, but that is not a significant vulnerability, he said. If there were a hacker-caused snag in that setup, it would just mean that workers would need to get readings in person, Pope said.

Hollidaysburg has no cybersecurity issues with its sewer plant either, according to Frank Hicks, director of operations.

None of the systems that control plant processes are connected with the internet, Hicks said, and although monitoring is connected to the internet, no operational changes can be made via that system.

A third-party firm handles the monitoring system anyway, and he’s confident that the firm observes the proper cybersecurity protocols, he said.

Reviewing, making changes

Stiffler McGraw and Associates engineering has been reviewing and incorporating recommendations from the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency to strengthen protections against malicious activity on behalf of Freedom Township Water and Sewer Authority, according to Stiffler McGraw’s LJ Seidel.

The work includes implementation of multifactor authentication for access to operational technology; regular updates using the latest software for the programmable logic controllers; backups for the PLCs to enable rapid recovery; and ensuring that third-party vendors are applying their own countermeasures against hacking, according to Seidel.

Local help available

There is plenty of local expertise available to help organizations vulnerable to cybersecurity incursions, according to Joe Harford, founder of Reclamere in Tyrone, and Zach Beckel, chief technology officer for United Datacom Networks Inc. in Altoona.

Cyberattacks have been increasing locally, but responses tend to be reactive, the pair said.

“I want to turn that around,” Beckel said.

The best thing to do for organizations with cyber vulnerability is to be proactive in developing and executing a cybersecurity plan using a specialized cybersecurity firm.

An annual risk analysis is also recommended, they said, because cyber threats continually evolve, and are highly complex.

The pair are distressed when they read about incidents affecting local companies, they said. “The last thing we want to see is some guy at the soccer game who can’t pay his employees, because he was hit by an attack,” Beckel said.

It’s a “volatile” time, and people need to pay attention, Harford said.

Mirror Staff Writer William Kibler is at 814-949-7038.
